Avast antivirus network hacked in ‘cyberespionage attempt’

21 Oct 2019

Avast was yet again subject to an attack from threat actors, though the company maintains that users of the service are safe and protected.

Security company Avast revealed today (21 October) that it was hacked. A company statement detailed how a threat actor accessed the company’s systems through a compromised VPN profile that “had erroneously been kept enabled and did not require 2FA [two-factor authentication]”.

It said that the threat actor successfully used the credentials to access Avast’s internal network. Though the associated account did not initially have domain privileges, the actor was able to obtain them through successful privilege escalation. Avast ascertained through analysis of its external IPs that the actor had been trying to access the VPN since May.

“Global software companies are increasingly being targeted for disruptive attacks, cyberespionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years,” the statement said.

“At Avast, we constantly work hard to stay ahead of the bad guys and to fight off attacks on our users. It is therefore not so surprising that we ourselves could be a target.”

‘Extremely sophisticated attempt’

The company believes that the hackers were attempting to install malware in its CCleaner software. However, it stated that users of the service are protected and unaffected.

Avast, a Czech company, is partnering with the state’s intelligence agency, the local police force’s cybersecurity division and an external forensics team to further investigate the crime.

Comparisons have already been drawn between the most recent attack and a previous assault on CCleaner in 2017, which saw threat actors illegally modify a version of the software before it was released to the public.

“It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected,” the company added.

CCleaner said that it rigorously monitors and tests its systems. “Through this monitoring, it came to our attention recently that cybercriminals may have been planning to target us,” it added.

“Although we found no indications that any users were affected, our users’ security is of utmost importance to us so we took immediate action to update users, proactively revoke the prior product certificate and issue a new one.”

Updated, 9.45am, 23 October 2019: This article was updated to include comments from CCleaner.

Eva Short was a journalist at Silicon Republic